Critical Vulnerabilities in Tenda Routers

Overview 

Three critical vulnerabilities have been discovered in Tenda W12 and i24 routers running firmware versions 3.0.0.4(2887) and 3.0.0.5(3644). These vulnerabilities involve stack-based buffer overflows in different functions of the /bin/httpd binary, allowing remote attackers to execute arbitrary code or crash the device. All three CVEs have a CVSS-B score of 8.8 (HIGH), indicating significant risk.

Affected Products

  • Tenda W12

  • Tenda i24

  • Firmware Versions: 3.0.0.4(2887), 3.0.0.5(3644)

  • Published Date: 04/19/2025


1. CVE-2025-3820: Buffer Overflow in cgiSysUplinkCheckSet via hostIp1/hostIp2

Description

This vulnerability exists in the cgiSysUplinkCheckSet function within /bin/httpd. Attackers can exploit it by sending overly long strings in the hostIp1 or hostIp2 parameters, leading to a stack-based buffer overflow.

Attack Scenario

An attacker sends a specially crafted HTTP POST request to the router’s web interface:

POST /goform/SysUplinkCheckSet HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded

hostIp1=AAAAAAAAAAAAAAAA...[500+ bytes]...AAAA&hostIp2=BBBBBBBB...[500+ bytes]...BBBB

Since the function does not properly validate input length, the excessive data overflows the stack buffer, potentially allowing remote code execution (RCE) or a denial-of-service (DoS) condition.

Impact 

  • Remote code execution with root privileges (since /bin/httpd runs as root).

  • Complete device takeover.

  • Possible persistence if firmware is modified.


2. CVE-2025-3803: Buffer Overflow in cgiSysScheduleRebootSet via rebootDate

Description

The cgiSysScheduleRebootSet function in /bin/httpd fails to properly sanitize the rebootDate parameter, leading to a stack-based buffer overflow when an overly long date string is provided.

Attack Scenario

An attacker crafts a malicious request to the router’s reboot scheduling feature:

POST /goform/SysScheduleRebootSet HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded

rebootDate=2025-01-01AAAAAAAA...[500+ bytes]...AAAA

If the rebootDate parameter exceeds the expected length, it corrupts the stack, potentially allowing arbitrary code execution or crashing the router.

Impact

  • Remote code execution (RCE) leading to full device compromise.

  • Persistent backdoor installation.

  • Disruption of network services (DoS).


3. CVE-2025-3802: Buffer Overflow in cgiPingSet via pingIP

Description

The cgiPingSet function in /bin/httpd mishandles long input in the pingIP parameter, resulting in a stack-based buffer overflow.

Attack Scenario

An attacker sends a manipulated ping request:

POST /goform/PingSet HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded

pingIP=8.8.8.8AAAAAAAA...[500+ bytes]...AAAA

If the pingIP parameter exceeds the buffer limit, it overflows the stack, potentially allowing arbitrary code execution.

Impact

  • Remote code execution (RCE).

  • Network reconnaissance (if the attacker gains shell access).

  • Router crash leading to DoS.


Mitigation & Recommendations

  1. Patch Immediately:

    • Check for firmware updates from Tenda. If none are available, consider replacing the router.

  2. Network Segmentation:

    • Isolate affected routers from critical internal networks.

  3. Disable Remote Management:

    • Turn off WAN-side admin access in router settings.

  4. Intrusion Detection:

    • Monitor for unusual HTTP requests to /goform/ endpoints.

  5. Exploit Mitigation:

    • Deploy stack canaries or ASLR (if supported by firmware).
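
For the intrusion detection step, the following is an added example (not part of the original advisory and not Tenda code) of a check that flags oversized values in the parameters named above, suitable for a reverse proxy or a capture-processing script. The 64-character threshold and the helper names are assumptions, and the sample requests are constructed for the self-check.

```python
from urllib.parse import parse_qsl

# Endpoints and parameters named in the three CVE descriptions on this page.
WATCHED = {
    "/goform/SysUplinkCheckSet": ("hostIp1", "hostIp2"),
    "/goform/SysScheduleRebootSet": ("rebootDate",),
    "/goform/PingSet": ("pingIP",),
}
# Assumption: legitimate values are addresses, hostnames or short dates, so
# 64 characters is an alerting threshold, not the firmware's buffer size.
MAX_LEN = 64


def inspect_request(raw: bytes) -> list[str]:
    """Return one alert per oversized watched parameter in a raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2:
        return ["malformed request line"]
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    watched = WATCHED.get(path)
    if watched is None:
        return []
    # The parameter may arrive in the query string or the form body: check both.
    fields = parse_qsl(query, keep_blank_values=True)
    fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [
        f"{method} {path}: {name} is {len(value)} chars (limit {MAX_LEN})"
        for name, value in fields
        if name in watched and len(value) > MAX_LEN
    ]


def sample(path: str, form: str) -> bytes:
    """Build a constructed request for the self-check below (not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + form).encode()


if __name__ == "__main__":
    for req in (sample("/goform/PingSet", "pingIP=8.8.8.8"),
                sample("/goform/PingSet", "pingIP=8.8.8.8" + "A" * 500),
                sample("/goform/SysUplinkCheckSet",
                       "hostIp1=" + "A" * 500 + "&hostIp2=" + "B" * 500)):
        print(inspect_request(req) or "clean")
```

Lengths are measured after URL-decoding, so percent-encoded padding is counted at its decoded size.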


Conclusion

These vulnerabilities (CVE-2025-3820, CVE-2025-3803, CVE-2025-3802) pose a severe risk to Tenda W12 and i24 routers, allowing attackers to execute arbitrary code remotely. Since exploits are already public, immediate action is required to prevent compromise. Users should apply patches, restrict access, or replace vulnerable devices if no fix is available.


